YiSpecter: Drop your iPhone, Mr Bond*

[Update]

Claud Xiao responded to my (very mild) criticism in the original article below, making several points I think are well worth making.

In the past 5 years, there were over 10 malware, adware or PoC samples that could affect non-jailbroken iOS devices. Except for some PoCs, all the others were developed with public iOS APIs, which means what they can do (and what they did) is predictable in some ways and is managed by the system. For example, the famous FindAndCall collected contacts’ phone numbers and sent them to its C2 server for further abuse; the recent scammer Oneclickfraud displayed a page asking you to purchase.

Compared with them, the primary difference in YiSpecter is that it abused private APIs to implement some unexpected functionalities. For example, it can hijack other apps’ launching to display ads. Actually, compared with this malware itself, I care more about how this technique can be and will be used by others in the future. According to some academic works (referred to in the report), an app can do pretty much any sensitive operation this way, and App Store review of it is still not strict enough. Most people may have thought malware, adware or PUPs can’t really harm an infected non-jb iOS device. But since YiSpecter, the rules have changed. This is exactly what I mean by its being “different”.

The title and the article are slightly misleading in that Xiao states that:

‘YiSpecter is different from previously seen iOS malware in that it attacks both jailbroken and non-jailbroken iOS devices through unique and harmful malicious behaviors.’

In fact, as Axelle Apvrille pointed out for Fortinet last year – in an article called iOS Malware Does Exist – malware that can affect non-jailbroken devices was already known. Still, those earlier examples look fairly puny compared with the impact that YiSpecter has had.